uTalk

Official forum for Utopia Community


#1 2023-06-12 23:39:30

thrive
Member
Registered: 2023-01-04
Posts: 2,018

1,000+ Fake Cryptocurrency Site

Since at least January 2021, a previously undetected cryptocurrency scam has used a network of over 1,000 shady websites to lure users into a false rewards scheme.

In a report released last week, researchers from Trend Micro linked a Russian-speaking threat actor by the name of "Impulse Team" to a "massive campaign" that "has likely led to thousands of people being scammed worldwide."

The scheme deceives victims into thinking they have won a specific amount of cryptocurrency using an advance-fee fraud. However, the victims would have to make a small payment to open an account on their website in order to receive their rewards.

In order to trick potential targets into visiting the decoy site, the compromise chain begins with a direct message spread via Twitter. The message-sending account has since been deleted.

The message encourages recipients to create an account on the website and use a promo code provided in the message to enter to win a cryptocurrency prize worth 0.78632 bitcoin (or roughly $20,300).

However, once a user creates an account on the fraudulent platform, they are required to activate it by making a minimal deposit of 0.01 bitcoin (roughly $258) in order to verify their identity and finish the withdrawal.

Although significant, the amount required to activate the account is small compared to what users would receive, the researchers said. The recipients who pay the activation fee, however, never receive anything in return, as was to be expected.

Between December 24, 2022, and March 8, 2023, the actors received a little over $5 million as a result of the illegal transactions, according to a public Telegram channel that tracks every payment made by the victims.

Hundreds of domains connected to this fraud, some of which were active as early as 2016, were discovered, according to Trend Micro. All of the phony websites are associated with a "scam crypto project" called Impulse, which has been promoted on Russian forums for cybercrime since February 2021.

The business requires affiliate actors to pay a fee to join the program and split a portion of the profits with the original authors, just like ransomware-as-a-service (RaaS) operations.

Threat actors are thought to have created a lookalike version of the well-known anti-scam tool ScamDoc, which assigns a trust score for various websites, in a plausible attempt to pass off the dubious crypto services as reliable.
As evidence that the affiliates are employing a variety of techniques to publicize the fraudulent activity, Trend Micro added that it also came across private messages, online videos, and advertisements on other social networks like TikTok and Mastodon.

The researchers noted that by providing hosting and infrastructure so that its affiliates can manage these phishing websites on their own, the threat actor streamlines operations for its partners. Affiliates are able to focus on other aspects of the business, like managing their own advertising campaigns, as a result.

The discovery of the phony giveaway scam comes at the same time as a recent rash of cryptocurrency theft attacks carried out by Pink Drainer, a threat actor who has been exposed for impersonating journalists in order to take over victims' Discord and Twitter accounts and promote phony cryptocurrency schemes.

As of June 11, 2023, data collected by ScamSniffer indicates that Pink Drainer had successfully breached 2,307 accounts to take more than $3.29 million in value in digital assets.

The discoveries also come weeks after Akamai revealed a resurrected Romanian cryptojacking campaign called Diicot (previously Mexals), which uses a Golang-based Secure Shell (SSH) worm module and a new LAN spreader for propagation.

Then, in a report published last month, Elastic Security Labs described how the XMRig cryptocurrency miner was spread throughout several Asian nations using an open-source rootkit known as r77.
R77 is "an ideal tool for cybercriminals looking to carry out stealthy attacks," the researchers said.
"r77's primary purpose is to hide the presence of other software on a system by hooking important Windows APIs."

The developers of the malicious crypto miner were able to avoid detection and carry out the rest of their campaign undetected by using the r77 rootkit.

It's important to note that the Quasar SeroXen remote administration tool, which is being offered for only $30 for a monthly license or $60 for a lifetime bundle, also includes the r77 rootkit.

